- An Integrated Approach for Physical and Cyber Security Risk Assessment: the U.S. Army Corps of Engineers Common Risk Model for Dams
- Improving Governance and Budget Execution Oversight at the DHS National Protection and Programs Directorate (NPPD)
- Operational Test and Evaluation of the Continuous Diagnostics and Mitigation (CDM) Program in the Department of Homeland Security (DHS)
- Operational Test & Evaluation of the National Cybersecurity Protection Systems (NCPS) in the Department of Homeland Security
- Strategic Analysis of Cybersecurity Data Flows
- Threat Analysis for Critical Infrastructure Guidance/Risk and Risk Management Capabilities Development
Strategic Analysis of Cybersecurity Data Flows
The DHS Deputy Assistant Secretary for Cybersecurity Strategy and Emergency Communications asked IDA to characterize information flow among and between government and private sector entities (consumers) and organizations that create, capture, transform, and distribute information on cyber and control system security vulnerabilities and threats. Focusing on six critical infrastructure sectors (i.e., communications, electricity subsector of energy, financial services, healthcare and public health, transportation systems, and water and wastewater), the IDA team used several tools to visualize and analyze the collected information, establishing connections among and between sector entities. The team analyzed cybersecurity threat information flow at the strategic, operational, and tactical levels, identifying products and services from government, for-profit, and nonprofit cybersecurity threat information providers. IDA developed the Cybersecurity Threat Information Sharing (CTIS) Framework – based on the recently released NIST Cybersecurity Framework – to help establish concepts, metrics, and measures to understand the cybersecurity threat information-sharing landscape. This work will help inform DHS policy and program decisions.
Threat Analysis for Critical Infrastructure Guidance/Risk and Risk Management Capabilities Development
The Homeland Security Act of 2003 and the Homeland Security Presidential Directive 7 call for the Department of Homeland Security to conduct comprehensive assessments of the nation's critical infrastructure as well as establish uniform policies, approaches, guidelines, and methodology for integrating Federal infrastructure protection and risk management activities. In response, DHS initiated the National Comparative Risk Assessment (NCRA). IDA supported the NCRA through development and application of the Common Risk Model (CRM). The CRM defines risk as follows: Risk = (probability of attack) × (probability of attacker success given an attack) × (attack consequences). IDA Document D-3442, Information in Support of National Comparative Risk Assessment: Determining Probability of Success Given an Attack Volume 1: Main Report (September 2007), develops the method for determining probability of attacker success given an attack (P(S|A)) within the CRM, and presents initial estimates of P(S|A) across a broad range of scenarios. These scenarios include various land attacks, water-borne attacks, airplane attacks, and attacks using cyber means. The estimates were produced through guided discussions involving groups of subject matter experts (SMEs) and were validated by independent SME teams.
A subsequent paper, IDA Paper P-4226, National Comparative Risk Assessment Pilot Project; Cyber Intrusion Analysis-Process Control System (June 2007), describes in detail the application of the Common Risk Model to cyber attacks. IDA’s cyber experts identified alternative cyber defensive configurations and assessed their robustness against a variety of cyber threats. IDA researchers then estimated the consequences for each of the potential threats, focusing on the likely effects of cyber attacks on oil, gas, and electrical infrastructures. The IDA work showed that: (1) cyber defensive configurations can be characterized using simple questionnaires; (2) data from actual accidents and incidents provide an excellent start for estimating consequences; (3) probabilities of success given an attack, while subjective, can be derived in a manner that allows useful comparative assessments of alternative cyber defense postures; and (4) owners of specific infrastructure assets should be engaged in creating return-on-investment models for security measures. This IDA work helped resolve an internal DHS debate about whether the Common Risk Model could be applied to cyber intrusion scenarios.
In 2010, DHS asked IDA to develop doctrinal guidelines for operationalizing a framework for quantifying risk, with a specific focus on quantitatively estimating the vulnerability of assets and systems comprising the nation’s critical infrastructure. IDA focused on vulnerability for three reasons. First, its definition and how it is applied to critical infrastructure are far less understood than the concepts of threat and consequence. Second, a sound approach for quantifying vulnerability will improve the methodologies for quantifying risk for critical infrastructure. Third, clearly defining vulnerability is key to developing commensurate risk metrics across the 18 critical infrastructure and key resources (CIKR) sectors. When the vulnerability of systems and the vulnerability of assets protected by layered defenses are compared side-by-side, the overall recommendation is to define vulnerability in both cases as the expected value of loss given a scenario occurrence. This requires that vulnerability for layered defenses be re-interpreted as the product of the joint probability of successfully penetrating all relevant defensive layers and the consequences. IDA sought to define a set of concepts and computational methods for quantifying vulnerability such that the resulting risk calculations produce commensurable risk metrics regardless of whether the risks are related to systems or isolated assets, or due to natural hazards or adversarial threats. See IDA Document D-4477, Doctrinal Guidelines for Quantitative Vulnerability Assessments of Infrastructure-Related Risk Volume 1 (December 2011).
Presentations, Articles, Publications:
PRESENTATION: Anti-Terrorism: Are there Borders in Cyber Space? at ASIS New York City Security Conference and Expo, April 27-28, 2016, hosted by IDA’s Dr. Deena Disraelly, Chair of the ASIS Global Terrorism, International Crime, and Political Instability Council; and featuring IDA Assistant Director Laura O’Dell.
PRESENTATION: Cybered Alliances, Spheres and Independents presented at the Center for Cyber Conflict Studies 3rd Biennial Workshop, U.S. Naval War College, September 22, 2015, Newport, Rhode Island, by IDA’s Dr. David Mussington who served as a panelist. U.S. Naval War College Public Affairs Article
PRESENTATION: Cybersecurity Workforce Panel: Discussions on opportunities to engage and grow the cybersecurity workforce hosted by IDA, August 2015, and featuring Renee Forney and Douglas Maughan, Department of Homeland Security; Robert Knake, Council on Foreign Relations; and Stephen Olechnowicz and Brendan Farrar-Foley, IDA ITSD.